One Step Ahead
It is not unusual for fraudsters to mix and match techniques
By Dr. Kornel Laskowski
Jun 01, 2019

Contact center fraud is increasing at an alarming rate, and with no end in sight. According to Aite Group, a research and advisory firm, losses incurred by account takeovers at contact centers are expected to reach $775 million in 2020, nearly double the amount from just five years ago. And, while organizations that do not have a contact center are also susceptible to data breaches, contact centers are unique because they potentially expose their customer data through an additional channel, the telephone.

This data can be accessed in several different ways, including voice interaction with an agent, voice interaction with an Interactive Voice Response (IVR) system, and DTMF interaction with an IVR system. Traditional fraud prevention methods that contact centers use to safeguard customer data—such as the validation of passwords, personal information, and originating phone numbers—are proving to be not as effective today as once hoped.

It is not unusual for fraudsters to mix and match their techniques. They may attempt to digitally breach a database server, try to guess account passwords, or access a secure network. But if the targeted organization has a contact center, as many institutions in healthcare and finance do, the savvy fraudster is likely to make use of it. By exploiting a contact center agent’s desire to provide good customer service, a scammer may obtain partial access to an account of interest. Through each subsequent phone interaction, he or she may be able to collect yet another piece of Personally Identifiable Information (PII)—such as a birth date or a social security number. If a fraudster cannot obtain enough PII data to breach an organization’s security measures, he or she can supplement it with data stolen in past data breaches.

Not only do they have multiple channels at their disposal, but potential fraudsters also benefit from the very nature of contact centers. The larger the targeted organization, the more agents are likely to be needed to staff its contact center. This virtually ensures that a fraudster’s every phone call is handled by a different person, leaving the full scope of an attack unknown. Furthermore, Caller ID spoofing technology, which hides the true originating location of a phone call, makes it possible to thwart attempts to consolidate calls originating from the same phone number.

Just as criminals are using more advanced techniques, contact centers too must up their game and employ new approaches to security. One that is particularly gaining momentum is biometrics—verifying someone based on his/her unique observable traits rather than knowledge of personal information. Juniper Research predicts that the number of mobile users authenticated via biometrics, such as face or voice recognition, will jump from about 429 million this year to more than 1.5 billion in 2023.

Using Biometrics to Prevent Fraud

Voice biometrics can address current contact center security challenges in two main ways, depending on whether the caller is a first-time offender or a known perpetrator. A first-time offense is more likely to be flagged if the active authentication phase of a contact center call analyzes not just the caller’s knowledge of a password or a PII element for an account, but also the caller’s voice. A caller whose voice does not match that on file can be stopped before the authentication phase is over, and not be allowed to access the account.

Voice biometrics can also analyze a call beyond its authentication phase, with passive (as opposed to active) verification. Passive verification doesn’t require the caller to do or say anything in particular since voice analysis occurs in the background during the caller’s natural conversation. It leads to the accumulation of a “voiceprint”—a set of uniquely identifying characteristics of the human voice—which can be compared at any time to the account’s voiceprint on file. This enables potential first-time fraudsters to be identified regardless of what they are saying, leading to real-time denial of account access.

In these ways, voice biometrics in both active and passive modes can help to flag potential first-time fraudsters. Of course, not every voiceprint mismatch is a harbinger of an attack: there may be cases in which one family member legitimately accesses the account of another. But given that fraudulent calls will ultimately need to be reviewed via costly human listening by security personnel, voice biometrics can dramatically reduce the amount of audio that needs to be listened to, as well as eliminate the need for random spot-listening. The listening effort can be directed to focus on those calls whose risk of fraud has been estimated as high.

Such risk estimation need not rely on voice biometrics alone. Automatic call transcription, followed by Natural Language Processing (NLP) to identify commonly used words, phrases, and sub-dialogues, can be effectively combined with voice biometrics to provide a stronger, multi-faceted approach to the estimation of risk of first-time fraud in contact centers.

Needless to say, all of the above methods can help to spot not only first-time offenders but also repeat offenders, without modification. However, voice biometrics can provide even more protection against repeat offenders. Provided that a contact center is willing to curate a database of fraudsters’ voiceprints, or retains access to a third-party database, the voiceprint constructed and then compared for authentication can at the same time also be compared to each stored fraudster voiceprint. In this way, voice biometrics can simultaneously answer the questions, “Does the current voice match the account-holder’s voice?” and “Does the current voice match a known fraudster’s voice?”—increasing the chances of deflecting an attack from a repeat offender.

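
The dual comparison described above, combined with the passive accumulation of a voiceprint during the call, can be sketched as follows. This is an added example, not code from the article or from any product: it assumes voiceprints are fixed-length vectors compared by cosine similarity, and the thresholds, the names `PassiveVerifier` and `run_call`, and the sample vectors are all hypothetical.

```python
import math

# Assumed thresholds for illustration; a deployment would calibrate them on labelled calls.
ACCOUNT_MATCH = 0.80   # at or above: voice matches the account holder's print
FRAUD_MATCH = 0.85     # at or above: voice matches a watchlist print

def cosine(a, b):
    """Cosine similarity between two equal-length voiceprint vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

class PassiveVerifier:
    """Builds the caller's voiceprint segment by segment and scores it on both questions."""

    def __init__(self, account_print, watchlist):
        self.account_print = account_print
        self.watchlist = watchlist            # {fraudster_id: voiceprint}
        self.total = [0.0] * len(account_print)
        self.segments = 0

    def add_segment(self, embedding):
        """Fold in one speech segment, then return the decision on the audio heard so far."""
        if len(embedding) != len(self.total):
            raise ValueError("embedding dimension mismatch")
        self.total = [t + e for t, e in zip(self.total, embedding)]
        self.segments += 1
        caller = [t / self.segments for t in self.total]   # running mean = call voiceprint
        scores = {fid: cosine(caller, vp) for fid, vp in self.watchlist.items()}
        hit = max(scores, key=scores.get, default=None)
        if hit is not None and scores[hit] >= FRAUD_MATCH:
            return "deny_known_fraudster"
        if cosine(caller, self.account_print) < ACCOUNT_MATCH:
            return "flag_for_review"   # a mismatch may be a family member, so a human decides
        return "allow"

# Constructed 4-dimensional sample voiceprints; real voiceprints are much larger.
ACCOUNT = [0.9, 0.1, 0.3, 0.2]
WATCHLIST = {"fraudster-001": [0.1, 0.9, 0.2, 0.4]}

def run_call(segments):
    """Feed segments in call order and return the decision after each one."""
    verifier = PassiveVerifier(ACCOUNT, WATCHLIST)
    return [verifier.add_segment(s) for s in segments]

if __name__ == "__main__":
    print(run_call([[0.85, 0.15, 0.35, 0.2], [0.95, 0.05, 0.25, 0.2]]))  # account holder
    print(run_call([[0.2, 0.8, 0.2, 0.5], [0.0, 1.0, 0.2, 0.3]]))        # watchlisted voice
    print(run_call([[0.2, 0.2, 0.9, 0.1]]))                              # unknown voice
```

Because the decision is recomputed after every segment, a watchlist match can be acted on while the call is still in progress, and only the mismatched calls are queued for human listening.
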
Finally, voice biometrics also provides a potential customer service benefit for legitimate callers. While some contact centers may only choose to augment the authentication phase of their calls with active voiceprint authentication, others may choose to instead shorten it and to rely on passive voiceprint authentication over the duration of the entire call. Because passive authentication is transparent to the caller, this provides a faster and easier customer experience. This is important because legitimate callers are reportedly becoming increasingly frustrated by the additional information they are asked to provide for security purposes, such as answering multiple questions and memorizing multiple passwords.

Multi-Level Security to Combat Multi-Channel Vulnerability

Forward-thinking organizations are using voice biometrics as part of a larger strategic security approach to gain greater protection. A best practice is to implement multiple levels of security to impede scammers. Device identification, knowledge-based authentication, cross-channel behavior analysis and voice biometric recognition are part of an effective security practice, according to Gartner Research, an advisory firm. Implementing analytics across channels to identify red flags is necessary since fraudsters are exploiting any and all channels to penetrate customer accounts.

As the saying goes, the best defense is a good offense. Proactively integrating voice biometrics into a multi-layered security approach can go a long way to preventing security attacks before they happen. Not only can it help organizations safeguard the privacy of their customers, but it can also improve customer experience along the way.

This article originally appeared in the May/June 2019 issue of Security Today.